Lucene search

K

GoogleOSV:CVE-2022-29197

HistoryMay 20, 2022 - 10:16 p.m.

CVE-2022-29197

2022-05-2022:16:40

Google

osv.dev

3

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.3%

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of tf.raw_ops.UnsortedSegmentJoin does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack. The code assumes num_segments is a scalar but there is no validation for this before accessing its value. Versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4 contain a patch for this issue.

References

github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/core/kernels/unsorted_segment_join_op.cc#L92-L95

github.com/tensorflow/tensorflow/commit/13d38a07ce9143e044aa737cfd7bb759d0e9b400

github.com/tensorflow/tensorflow/releases/tag/v2.6.4

github.com/tensorflow/tensorflow/releases/tag/v2.7.2

github.com/tensorflow/tensorflow/releases/tag/v2.8.1

github.com/tensorflow/tensorflow/releases/tag/v2.9.0

github.com/tensorflow/tensorflow/security/advisories/GHSA-hrg5-737c-2p56

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.3%

Related for OSV:CVE-2022-29197

osv2 cvelist1 cve1 prion1 nvd1 github1 ibm2 openvas1